rosa-build/spec/integration/api_defender_spec.rb

137 lines
4.4 KiB
Ruby
Raw Normal View History

2012-12-24 19:11:57 +00:00
require 'spec_helper'
2015-02-19 01:53:47 +00:00
describe ApiDefender, type: :request do
def get_basic_auth user = @user, by_token = false, by_email = false
2012-12-24 19:11:57 +00:00
u,pass = if by_token
2012-12-26 14:30:05 +00:00
[user.authentication_token, '']
elsif by_email
[user.email, @password]
2012-12-24 19:11:57 +00:00
else
[user.uname, @password]
2012-12-24 19:11:57 +00:00
end
ActionController::HttpAuthentication::Basic.encode_credentials u, pass
end
def get_request auth_user = nil, by_token = false, by_email = false
auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}
2012-12-26 14:42:07 +00:00
get "/api/v1/users/#{@user.id}.json", {}, auth
end
def get_request2 auth_user = nil, by_token = false, by_email = false
auth_user = FactoryGirl.create(:user) if !auth_user && APP_CONFIG['anonymous_access'] == false
get_request auth_user, by_token, by_email
end
2012-12-24 19:11:57 +00:00
before do
2014-03-18 13:54:16 +00:00
stub_symlink_methods
2012-12-26 13:07:54 +00:00
@redis = Redis.new
2012-12-24 19:11:57 +00:00
@password = '123456'
2012-12-26 14:30:05 +00:00
@rate_limit = 3 # dont forget change in max_per_window
2012-12-26 13:07:54 +00:00
2012-12-26 14:30:05 +00:00
ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")
2012-12-24 19:11:57 +00:00
end
before(:each) do
2014-01-21 04:51:49 +00:00
@user = FactoryGirl.create :user, password: @password
@system_user = FactoryGirl.create :user, role: 'system'
2012-12-24 19:11:57 +00:00
end
if APP_CONFIG['anonymous_access'] == true
context 'for anonymous user' do
it "should return the total limit" do
get_request
response.headers['X-RateLimit-Limit'].should == @rate_limit.to_s
end
it "should return the correct limit usage for anonymous user" do
get_request
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should return the correct limit usage for anonymous user after authenticated access" do
get_request @user
get_request
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-2).to_s
end
it "should forbidden anonymous user after exceeding limit rate" do
(@rate_limit+1).times {get_request}
response.status.should == 403
end
2012-12-26 14:35:15 +00:00
end
else
it "should forbidden anonymous access" do
2012-12-26 14:42:07 +00:00
get_request
response.status.should == 401
2012-12-26 14:35:15 +00:00
end
2012-12-24 19:11:57 +00:00
end
2012-12-26 14:35:15 +00:00
context 'for user' do
it "should return the correct limit usage for auth user" do
2012-12-26 14:42:07 +00:00
get_request @user
2012-12-26 14:35:15 +00:00
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by uname and password" do
(@rate_limit+1).times {get_request2}
get_request @user
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by email and password" do
(@rate_limit+1).times {get_request2}
get_request @user, false, true
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by token" do
(@rate_limit+1).times {get_request2}
get_request @user, true
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
2012-12-26 14:35:15 +00:00
end
2012-12-26 14:30:05 +00:00
it "should return the correct limit usage for auth user after other user" do
get_request2
2012-12-26 14:42:07 +00:00
get_request @user
2012-12-26 14:35:15 +00:00
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
2012-12-26 14:30:05 +00:00
2012-12-26 14:35:15 +00:00
it "should forbidden user after exceeding limit rate" do
2012-12-26 14:42:07 +00:00
(@rate_limit+1).times {get_request @user}
2012-12-26 14:35:15 +00:00
response.status.should == 403
end
2012-12-26 14:30:05 +00:00
it "should not forbidden user after exceeding limit rate of the other user" do
(@rate_limit+1).times {get_request2}
2012-12-26 14:42:07 +00:00
get_request @user
2012-12-26 14:35:15 +00:00
response.status.should == 200
end
2012-12-26 14:30:05 +00:00
end
2012-12-26 14:35:15 +00:00
context 'for system user' do
it "should not return the limit usage for system user" do
2012-12-26 14:42:07 +00:00
get_request @system_user, true
2012-12-26 14:35:15 +00:00
response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
end
2012-12-26 14:30:05 +00:00
2012-12-26 14:35:15 +00:00
it "should not forbidden system user" do
2012-12-26 14:42:07 +00:00
(@rate_limit+1).times {get_request @system_user, true}
2012-12-26 14:35:15 +00:00
response.status.should == 200
2012-12-26 14:30:05 +00:00
end
2012-12-24 19:11:57 +00:00
end
2013-07-04 13:44:48 +01:00
context 'for allowed addresses' do
let(:remote_addr) { APP_CONFIG['allowed_addresses'].first }
2013-07-04 13:44:48 +01:00
it 'should not return the limit usage for allowed address' do
get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr }
response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
end
2013-07-04 13:44:48 +01:00
it 'should not forbidden allowed address' do
(@rate_limit+1).times { get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr } }
response.status.should == 200
end
end
2012-12-24 19:11:57 +00:00
end